So a few weeks ago I had a customer complaining about poor VPN performance for their Check Point Mobile IPSec clients, along with high gateway CPU utilization. After some investigation in the SmartView Monitor Users View, we found that the Phase2/IPSec settings (which is used for the vast majority of the traffic sent through the VPN) were still set to 3DES/SHA1 like this:
So even VPN clients that supported stronger and more efficient alternatives such as AES and SHA256 were not allowed to use them by the gateway. I assumed this was because this was a 10+ year old Check Point customer and these settings were brought forward through countless upgrades over the years. We moved it over to AES256/SHA256 in a change window and even with the much stronger algorithms, performance was substantially improved and the CPU was far less loaded. This is a well-known issue: sk98950: Slow traffic speed (high latency) when transferring files over VPN tunnel with 3DES encrypt...
So out of curiosity I pulled up this screen for a freshly installed R81.20 GA implementation in my training lab environment to see what the modern IPSec P2 defaults are...and they are still 3DES/SHA1 with no options for anything else? Surprising that two deprecated protocols are still the default on a new R81.20 installation, with no other option available to the clients by default. I understand the need for backwards compatibility for older clients, but are there really that many ancient VPN clients out there that don't support AES at all? SHA256 I could understand as it is relatively new.
Wouldn't the following be more appropriate going forward as default, even getting changed automatically by an upgrade or Jumbo HFA installation:
Allow the ancient clients to still work with 3DES/SHA1, but I assume the newer VPN clients would minimally try to select something more secure such as AES. DES-only clients would be out of luck, too bad so sad. This really needs to be addressed, and I assume it will be with the R82 VPN clients that will add support for IKEv2, I hope they still won't still be using 3DES/SHA1. In R82 SmartConsole demo mode it looks like this setting is AES-256/SHA1.
Thanks for reading!
| User | Count |
|---|---|
| 6 | |
| 3 | |
| 3 | |
| 3 | |
| 3 | |
| 2 | |
| 2 | |
| 2 | |
| 1 | |
| 1 |
Tue 01 Oct 2024 @ 10:00 AM (CEST)
CheckMates Live Salzburg - Maintenance and Upgrade Best PracticesTue 01 Oct 2024 @ 03:00 PM (CEST)
Mastering Cyber Compliance: From Regulation to LegislationThu 03 Oct 2024 @ 10:00 AM (CEST)
CheckMates Live BeLux: How to stay compliant with NIS-2 and DORA with Compliance Management SolutionThu 03 Oct 2024 @ 10:00 AM (CEST)
CheckMates Live Vienna - Identity Awareness Best Practices and Harmony Sase UpdatesTue 08 Oct 2024 @ 03:00 PM (AEDT)
No Suits, No Ties: Vulnerabilities and workarounds, a story of compromise (APAC)Tue 01 Oct 2024 @ 03:00 PM (CEST)
Mastering Cyber Compliance: From Regulation to LegislationThu 03 Oct 2024 @ 10:00 AM (CEST)
CheckMates Live BeLux: How to stay compliant with NIS-2 and DORA with Compliance Management SolutionTue 08 Oct 2024 @ 03:00 PM (AEDT)
No Suits, No Ties: Vulnerabilities and workarounds, a story of compromise (APAC)Tue 08 Oct 2024 @ 10:00 AM (CEST)
No Suits, No Ties: Vulnerabilities and workarounds, a story of compromise (EMEA)Tue 08 Oct 2024 @ 11:00 AM (EDT)
No Suits, No Ties: Vulnerabilities and workarounds, a story of compromise (Americas)Wed 09 Oct 2024 @ 05:00 PM (CEST)
TechTalk: The New Quantum DDoS Protector Integration with PlayBlocksTue 01 Oct 2024 @ 10:00 AM (CEST)
CheckMates Live Salzburg - Maintenance and Upgrade Best PracticesThu 03 Oct 2024 @ 10:00 AM (CEST)
CheckMates Live Vienna - Identity Awareness Best Practices and Harmony Sase Updates
.png "Wolfgang"){kind=avatar}
